An app that China is using to track attendees at the Beijing Olympics next month has raised concerns from a cybersecurity watchdog about “a simple but devastating flaw” that it says poses privacy concerns.
The Citizen Lab, based at the University of Toronto, said in an extensive report by research associate Jeffrey Knockel that the mandatory MY2022 app fails to validate some SSL certificates, which could leave open information to being intercepted by a malicious host, as reported by The Canadian Press.Those who attend the Olympics, including athletes and journalists, are required to download the app and upload their health and vaccination information to track potential outbreaks of COVID-19. The report warns that sensitive data even unrelated to medical information could leak given the flaws in the app, which was built by the Beijing Organizing Committee.
“The worst case scenario is that someone is intercepting all the traffic and recording all the passport details, all the medical details,” Knockel warned.Citizen Lab said it had notified the Chinese organizing committee for the Games in December about the potential issues but had never received a response.
Pointing out how it remained uncertain if the list was being actively used to censor such topics, Knockel said, “We don’t know whether they intended for it to be inactive or whether they intended for it to be active, but either way, it’s something that….can be enabled at the flick of a switch.”
“China has a history of undermining encryption technology to perform political censorship and surveillance,” Knockel wrote.
“As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence,” Knockel continued.
“However, the case for the Chinese government sabotaging MY2022’s encryption is problematic,” he added.